From GitHub:
To hash a password:
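    var bcrypt = require('bcrypt');
    // Generate a salt with cost factor 10, then hash the password with it.
    bcrypt.genSalt(10, function(err, salt) {
        bcrypt.hash("B4c0/\/", salt, function(err, hash) {
            // Store hash in your password DB.
        });
    });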
Because I had the same question myself, I know exactly what you are thinking about.
You are confusing the "secret key", which is used in cryptographic algorithms, with the "salt", which is used to slow down the encryption process and make it harder for hackers to use brute force.
When you use the plain password and the salt to generate the hash, this hash uses the password itself as the secret key! So the next time you try to compare it with a plain password, that plain password must be exactly the same one you used to generate the hash! This is why you don't have to store it somewhere else: it is always provided by the user at both the registration and login steps!
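The point above, that only the plain password has to be supplied again at login because everything else travels with the stored hash, as an added example (not code from the original post or from the bcrypt project). It uses Node's built-in scrypt in place of bcrypt so it runs without installing a package; the `scrypt$salt$hash` record layout, the function names and the sample bcrypt string are assumptions constructed for this example.

```javascript
const crypto = require('crypto');

const KEYLEN = 32; // bytes of derived key kept in the record

// Hypothetical record layout for this example: "scrypt$<salt hex>$<key hex>".
function hashPassword(plain) {
  const salt = crypto.randomBytes(16);                 // fresh random salt per password
  const key = crypto.scryptSync(plain, salt, KEYLEN);  // derived from password + salt
  return ['scrypt', salt.toString('hex'), key.toString('hex')].join('$');
}

function verifyPassword(plain, stored) {
  const [scheme, saltHex, keyHex] = String(stored).split('$');
  if (scheme !== 'scrypt' || !saltHex || !keyHex) return false;
  const expected = Buffer.from(keyHex, 'hex');
  // Reject truncated or non-hex keys before comparing; two empty
  // buffers would otherwise compare equal.
  if (expected.length !== KEYLEN) return false;
  // The salt is read back from the record, so the caller supplies
  // nothing but the plain password.
  const actual = crypto.scryptSync(plain, Buffer.from(saltHex, 'hex'), KEYLEN);
  return crypto.timingSafeEqual(actual, expected);     // constant-time compare
}

// A bcrypt string is self-describing in the same way:
// "$<version>$<cost>$" followed by a 22-char salt and a 31-char hash.
function parseBcrypt(stored) {
  const m = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/
    .exec(stored);
  if (!m) return null;
  return { version: m[1], cost: Number(m[2]), salt: m[3], hash: m[4] };
}

// Constructed sample with the right shape only; it is not a real hash.
const SAMPLE_BCRYPT = '$2b$10$' + 'S'.repeat(22) + 'H'.repeat(31);
```

Two calls to `hashPassword` with the same password produce different records because each gets its own salt, yet both verify against that password.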